In this guide, you will learn how to install an SSL/TLS certificate on an SAP NetWeaver Application Server.
On SAP, you do not edit a config file or point the server at certificate files on disk. Instead, you work inside Trust Manager (transaction STRUST): you import the CA’s certificate response into the SSL server PSE, add the intermediate and root certificates to the certificate list, save the PSE, and restart the Internet Communication Manager (ICM) so the new certificate takes effect. The final section covers where to buy the right certificate for SAP.
Generate a CSR code on SAP
If you’ve already created the CSR and received the SSL certificate from your CA, skip the CSR section and jump straight to the installation steps.
When you apply for an SSL certificate, your first step is to generate a CSR (Certificate Signing Request) and send it to the Certificate Authority for validation. Generating the CSR also creates the private key, which stays inside the SSL server PSE on your SAP server. You have two options:
- Generate the CSR automatically with our CSR Generator.
- Follow our step-by-step tutorial on how to create the CSR on SAP.
Submit the CSR to the Certificate Authority during your order. Once the CA validates it and issues your certificate, continue with the installation below.
Install an SSL certificate on SAP
After the CA delivers your SSL files, download the ZIP archive and extract its contents. SAP’s Trust Manager expects the signed public-key certificate together with the CA chain in PKCS#7 format (a single file containing the full path up to the root). Alternatively, the CA may issue the certificate in PEM format: a text file whose certificates each begin with —–BEGIN CERTIFICATE—– and end with —–END CERTIFICATE—–.
Step 1: Prepare the SSL files
For your SSL certificate to work on SAP, you’ll need the following files:
- The SSL certificate itself, usually with an .cer, .crt, or .pem extension (X.509 format).
- The intermediate certificate, also known as the CA bundle or chain certificate. Note: some CAs supply two intermediate certificates for broader compatibility. Keep each one in its own .txt file and add them one at a time during the certificate-list step.
- The root certificate from your CA (if you don’t have it, ask your CA).
Open these files in a plain-text editor and copy the contents of each certificate into its own file with a .txt extension. You should end up with at least three .txt files holding your primary, intermediate, and root certificates.
Step 2: Import your certificate response into the SSL server PSE
Once your files are ready, do the following inside SAP:
- Log in to SAP and run transaction STRUST to open Trust Manager. (Switch to change mode if the PSE tree is read-only.)
- Expand the SSL server PSE node.
- Double-click your application server to open its SSL server Standard PSE.
- In the PSE maintenance section, choose Import Cert. Response.
- Click Load local and upload your signed SSL certificate (the .crt file). Alternatively, paste the contents of your certificate .txt file into the box. Be sure you are importing into the SSL server PSE. This is easy to miss.
- Your certificate should now appear in the PSE maintenance section.
- Click Save.
Step 3: Add the intermediate and root certificates
Next, add the intermediate and root certificates to the certificate list. Depending on where your certificates are stored, use one of the three methods below.
From the certificate database:
- In the certificate section, choose Import certificate.
- In the Import Certificate dialog, select the Database tab.
- Choose your certificate from the database and click Enter. The certificate appears in the certificate section.
- Click Add to Certificate List.
- Click Save.
From the file system:
- In the certificate section, choose Import certificate.
- In the Import Certificate dialog, specify the file name from the file system.
- Choose Base64 as the certificate’s file format, then click Enter. The certificate appears in the certificate maintenance section.
- Click Add to Certificate List.
- Click Save.
From a different PSE:
- Expand the node for the PSE that holds the certificate, then double-click one of its application servers.
- In the PSE maintenance section, double-click your certificate in the certificate list.
- Under the SSL server PSE node, double-click your application server.
- Click Add to Certificate List.
- Click Save.
Step 4: Restart the ICM
Saving the PSE is not enough on its own. The Internet Communication Manager (ICM) keeps the previous certificate loaded until it re-reads the PSE. Newer NetWeaver releases (702 and 710 and later) reload the SSL PSE automatically, but the reliable, version-independent step is to restart the ICM:
- Run transaction SMICM.
- From the menu, choose Administration > ICM > Exit Soft > Global.
A soft restart applies the new certificate without taking the whole SAP system down. Note that all SSL session caches are cleared, so new connections perform a full TLS handshake. On very busy servers this can briefly raise CPU usage. Once the ICM is back up, your SSL certificate is live on your SAP system.
Test your SSL installation
After you install the certificate, run a diagnostic scan to confirm everything is configured correctly, since some chain or configuration issues only show up under testing. Our SSL checker test your certificate in seconds and flag missing intermediates, vulnerabilities, or hostname mismatches. If your SAP server is not reachable from the public internet, you can still verify locally: open the HTTPS service in a browser and confirm the padlock shows a valid, trusted certificate with the correct hostname.
Where to buy the best SSL certificate for SAP?
When buying an SSL certificate, weigh three things: validation type, price, and customer service. At SSL Dragon, we offer the full range of SSL certificates at competitive prices, backed by five-star support. All our certificates are signed by trusted Certificate Authorities, so they’re fully compatible with SAP NetWeaver Application Server. Whether you need an affordable Domain Validation certificate or a premium Extended Validation product, we’ve got you covered.
Not sure which certificate to pick? Our SSL Wizard recommends the best option for your project.
Frequently Asked Questions
Open Trust Manager with transaction STRUST, expand the SSL server PSE node, and double-click your application server to see the active certificate and its certificate list. To list every certificate together with its expiry date, run the report SSF_ALERT_CERTEXPIRE via transaction SA38 (or SE38), then review the certificate list, the PSEs, and the SSL servers. The report shows each installed certificate and when it expires.
Renewal follows the same procedure as a fresh install. Before the current certificate expires, generate a new CSR, order a new certificate from your CA, then import the certificate response into the SSL server PSE, refresh the certificate list, save, and restart the ICM, exactly as described in the installation steps above.
An SSL/TLS certificate encrypts the traffic between browsers (and other clients) and your SAP NetWeaver Application Server, protecting credentials and business data in transit. Without it, browsers flag the connection as “Not secure,” and HTTPS-only services and integrations won’t trust your server.
STRUST accepts the certificate response as a PKCS#7 package that includes the full chain up to the root, or as a PEM text file listing the required certificates between the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– markers. When importing individual intermediate or root certificates from the file system, choose the Base64 format.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


